set_permissions.sh scripts gives different permissions to rhel5 and rhel6 binaries: it sets linux capabilities to rhel5 and root permissions (setuid) to rhel6. This is because the "regular" libpcap-based capture (rhel5) doesn't need full root permissions to capture network packets on modern linux, while DPDK still requires root (or we haven't figured out how to make it run in non-root mode) ... View more

@mathiask, Sorry about the troubles.. We're working on a fix for this issue. Still, why is the rhel5 version referenced on an "RHEL 7" system ? Yeah, that's a bit confusing: rhel5 and rhel6 suffixes denote the lowest supported release versions for each binary. Stream generally supports RHEL5 (and its contemporaries from other distros) and up; the reason why rhel6 binary exists is because Stream also needs to support scalable data capture on a 10Gbps SPAN/TAP port, and Intel DPDK framework we use for that task requires newer kernel version, etc. ... View more

Yes, that's correct: Stream receives Netflow/sFlow/IPFIX data, decodes it and generates a Splunk event as configured per the corresponding netflow/sflow type stream(s) Yes, I believe this is the direction we're heading. Stream implementation is more scalable/feature reach, etc. ... View more

As of version 7.0, Splunk Stream supports collecting Netflow, sFlow and IPFIX data directly ... View more

Thanks for the info, and thanks for using Stream! We'll try to reproduce the permission issue you've encounter. ... View more

Usually this condition happens when the KV store is not working properly due to expired auto-generated SSL certificate or some other issue. What's the Splunk Enterprise version you're using? Do you see anything in $SPLUNK_HOME/var/log/splunk/splunk_app_stream.log or stream_installer.log or mongod.log? ... View more

it is not working in my current scenario and we resorted to running it with the set uid bit to make it work! Would you be able to share your OS/environment config? I'm assuming you work on the stream application, perhaps you can get the documentation updated? Thanks for pointing this out. I created a doc ticket, we'll fix the documentation shortly. ... View more

After running set_permissions.sh: [vshcherbakov@centos6 Splunk_TA_stream]$ sudo ./set_permissions.sh [sudo] password for vshcherbakov: setting capabilities setting setuid for streamfwd-rhel6 - linux 64 bit version [vshcherbakov@centos6 Splunk_TA_stream]$ [vshcherbakov@centos6 Splunk_TA_stream]$ [vshcherbakov@centos6 Splunk_TA_stream]$ [vshcherbakov@centos6 Splunk_TA_stream]$ ll linux_x86_64/bin/ total 96492 lrwxrwxrwx 1 vshcherbakov wheel 15 Nov 15 17:29 streamfwd -> streamfwd-rhel5 -rwxr-xr-x 1 vshcherbakov wheel 49276856 Nov 15 17:29 streamfwd-rhel5 -rws--x--x 1 root wheel 49528624 Nov 15 17:29 streamfwd-rhel6 [vshcherbakov@centos6 Splunk_TA_stream]$ ... View more

hmm.. this doesn't look right. Here's what I see on a fresh install of Stream 7.0 on CentOS 6.5: $ ll ~/splunk/etc/apps/Splunk_TA_stream/linux_x86_64/bin/ total 96492 lrwxrwxrwx 1 vshcherbakov wheel 15 Nov 15 17:29 streamfwd -> streamfwd-rhel5 -rwxr-xr-x 1 vshcherbakov wheel 49276856 Nov 15 17:29 streamfwd-rhel5 -rwxr-xr-x 1 vshcherbakov wheel 49528624 Nov 15 17:29 streamfwd-rhel6 [vshcherbakov@centos6 apps]$ ... View more

streamfwd is just a symlink that points to either streamfwd-rhel5 or streamfwd-rhel6 depending on the capture mode (agent/dedicated). On modern Linux versions, set_permissions.sh scripts configures streamfwd-rhel5 binary with Linux capabilities needed to run promiscuous packet capture, since it's more secure compared to setuid as root. streamfwd-rhel6 is a different case altogether, and it does need to be run as root. On older Linux machines, the script sets both rhel5 and rhel6 binaries to run as root. ... View more

Not sure I understand what the issue is. You need to restart Splunk or restart streamfwd modular input for the permission changes made by set_permission.sh script to take effect. ... View more

@ekremikizoglu, you can try adding the --systime command line option to override the timestamps in pcap file with system time, so the command line will look like "streamfwd.exe -r test4.pcap --systime" you can also enable network_interface field in the http protocol in Stream UI, so that you can use ... network_interface="*test4.pcap" in your SPL. You won't be able to see "stream:http" events from https traffic unless you configure the stream forwarder (Splunk_TA_stream) with the SSL server's private key. ... View more

Hi @Splunker, How does the Stream failure manifest itself (ie what stopped working after you upgraded)? Stream 6.6.2 has some UI issues on Splunk 6.5, but the bulk of the app UI should continue to work.. The new version is coming soon (we cannot give away the exact dates as it's subject to change, etc.) ... View more

Hi @ekremikizoglu, A few questions: What's in the pcap file and what streams are enabled on this instance? Stream will only generate the events for protocols/streams that are enabled. What's the exact SPL you're using to search for pcap events? ... View more

Hi @ekremikizoglu, This is a rather rare error - it basically indicates a symmetric decryption failure. Do you happen to know what TLS version/cipher suite is been negotiated? (you can use Stream to track it by capturing tcp traffic and enabling ssl_cipher_name and/or ssl_cipher_id fields) ... View more

add the following config parameter to Splunk_TA_stream/local/streamfwd.conf file: [streamfwd://streamfwd] streamfwdcapture.0.interface = eth1 See http://docs.splunk.com/Documentation/StreamApp/6.6.1/DeployStreamApp/ConfigureStreamForwarder#Use_streamfwdcapture_to_specify_network_interfaces for more details ... View more

OK, so you should be able to apply the config instructions from my previous response. Also, you probably want to make sure your web ops/info sec/network security people are cool with this change since different companies have different policies for SSL/TLS settings (for example, allow only strong encryption, etc.) ... View more

"cipher suite not decryptable" error you're now encountering is related to the ephemeral encryption, which means that even if you have the server key, you cannot decrypt the session. Hence, you need to disable the ephemeral cipher suites on the http server in order for Stream (or any other SSL decryption-capable network monitor) to be able to decode your traffic. This is sort of mentioned in the documentation, but it's definitely not explained sufficiently: By default, some web servers can negotiate session ciphers that do not use RSA private keys. These ephemeral key exchange protocols (such as Diffie-Hellman) make it impossible for any passive observer to decrypt the traffic, and are therefore not supported by Stream. To ensure that Stream can intercept all of your encrypted traffic, you might need to disable support for ephemeral ciphers on your web server. This does not make your web server less secure, because the web server uses equally effective alternative ciphers for the connection Main reason the doc doesn't specifically list setup instructions there is because different http servers require different config tweaking in order to disable ephemeral encryption. For example, to configure Apache server you need to set the SSLCipherSuite parameter in httpd.conf to something like SSLCipherSuite kRSA:!SSLv2:!SSLv3:!eNULL:!NULL or a similar cipher list string. See http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html and https://www-origin.openssl.org/docs/manmaster/apps/ciphers.html for more details. What http server are you using? ... View more

You're welcome! we're fixing this issue in the upcoming 6.6.1 maintenance release (should be available later this week or early next week) ... View more